Outlook not displaying images

(Gregory Levine) #1

Currently dealing with an Outlook issue for one of my clients. Traffic forwarding is via PAC file URL. When users open up an email with Outlook, no images embedded in the email are displayed. When we point user to their local proxy, restart Outlook, users can see the images in the emails. But when user Internet traffic is routed to Zscaler via Pac file URL, no images displayed in the emails.

I believe Zscaler is configured correctly. I suspect some type of incompatibility between Outlook and PAC file URL used to route user Internet traffic to Zscaler.

Any suggestions on how to resolve this matter are greatly appreciated.


(Scott Bullock) #2

Hi Gregory,
It sounds like you may be using a PAC only deployment; is this correct, or can you describe in some more detail how the traffic forwarding is setup?

Assuming you are PAC only, you may see some issues in Apps like this, Apps like Outlook and Metro Apps can generate the challenge you’re encountering as they present to Zscaler using an IE/Edge user-agent, however, they are not like the fully-fledged browsers they mask as, and do not handle http-authentication and cookies well, if at all. To overcome this you can use our IP Surrogate for Known Browsers capability, or perhaps consider Zscaler App instead of PAC only.


Hope this help, do let me know if I’d made any incorrect assumptions about your setup.



(Gregory Levine) #3

Thanks for the response Scott! Your assumption is correct re PAC file URL only. We tried to convince the client to utilize GRE/IPSec Tunnels and/or ZAPP, but they insisted on PAC file only.

Based on the documentation for IP Surrogate, it does not sound like it supports PAC file only. Requirements for IP Surrogate:
(1) To use this feature, your organization must use one of the following methods to forward traffic to the service:
* A GRE or IPsec tunnel without NAT
* Forward proxy chaining with the XFF Forwarding option enabled on the location
* Your organization subscribes to a dedicated proxy port
(2) The location must have authentication enabled.

We do have SAML authentication enabled, but PAC file only for traffic forwarding. Do you think we should still try to enable IP Surrogate for Known Browsers?


(Scott Bullock) #4

IP Surrogate does require a tunnel, so enabling in a PAC only deployment won’t have the desired effect. It’s for reasons like this that we do have Tunnels (Network and/or Z-App) as part of our best practices.

(Rajeshkumar Chemalli) #5

Hi Greg,

As per my discussion with Swapnil the images url is getting blocked as it is getting tagged under the user “noauth-useragent”. Suggested some changes, he is working on it.